The following case study and forensics analysis concerns a global international insurance company.
- Client: Major International Insurance Firm
- Incident: At 11:00 pm the corporate network went down.
  - Users could not log onto the network via SSO and Active Directory.
  - The entire set of corporate central authentication systems was not working.
  - Without a way to authenticate, email services were inaccessible.
- Additional information shared:
  - The client is a large insurance firm with a prominent public profile.
  - The breach was initially suspected to be a targeted attack.
  - Multiple media sources had written accounts of a specific group’s sophisticated hacking capabilities.
- Actions taken during the forensics analysis:
  - An Incident Response and Forensics Analysis Team was deployed to the client site within 4 hours.
  - All available evidence was imaged and backed up.
  - Logs were gathered from the internal/external web servers, firewall, routers, IDS/IPS and Windows event logs.
  - Evidence files obtained from server hard drives were analyzed.
  - All collected logs were correlated and analyzed.
  - Services and processes on the affected computers were analyzed.
  - Windows Server, router and firewall configurations were analyzed.
  - Every step of the investigation was documented in detail.
- Results:
  - The CyberSecOP team discovered a sophisticated botnet with command and control software installed.
  - The botnet changed the security policies on the servers, preventing authorized users from logging in.
  - The botnet was a brand-new form of malware, and no public information about it was available until 12 days later.
  - The CyberSecOP team determined the root cause of the vulnerability to be a misconfiguration of the firewall.
  - The CyberSecOP team provided an analysis report and recommendations on root cause remediation.
  - The CyberSecOP team assisted the client with the root cause remediation process and restored network and email operation.
  - Based on the evaluation, the CyberSecOP team concluded that this incident was not the result of a targeted attack.